DomainKeys Identified Mail (DKIM) is a digital email signing/verification technology that is already supported by some common mail providers (for example Yahoo and Google).

−

= What is it? =

+

== The idea ==

−

It is digital email signing/verification technology, which included into RFCs and already supported by many mail servers. (For example yahoo, google, etc).

−

== How it works? ==

+

Basically DKIM means digitally signing all messages on the server to verify the message actually was sent from the domain in question and is not spam or pishing (and has not been modified).

−

Sender signs email with private key.

+

*The sender's mail server signs outgoing email with the private key.

−

Receiver gets signed email, request public key from DNS and verify it.

+

*When the message arrives, the receiver (or his server) requests the public key from the domain's DNS and verifies the signature.

−

So you can check who actualy sent this email.

+

This ensures the message was sent from a server who's private key matches the domain's public key.

−

For more info see [http://tools.ietf.org/html/rfc4871 RFC 4871]

+

For more info see [http://tools.ietf.org/html/rfc6376 RFC 6376]

−

= Installation =

+

== Installation ==

−

Install opendkim: pacman -S opendkim

+

[[pacman|Install]] the package {{Pkg|opendkim}} from the [[Official repositories]].

−

You may add user for opendkim or user existing (for example: postfix)

+

You may add an user for opendkim or use existing one (for example: postfix)

−

= Generic configuration =

+

== Basic configuration ==

* Generate key:

* Generate key:

−

<pre>

+

opendkim-genkey -r -s server1 -d example.com

−

openssl genrsa -out private.key 1024

+

* Create {{ic|/etc/opendkim/opendkim.conf}} (see example in the same directory)

−

openssl rsa -in private.key -pubout -out public.key

−

</pre>

−

* Create /etc/opendkim/opendkim.conf (see example in the same directory)

Minimal config:

Minimal config:

−

Domain YOUR-DOMAIN1.com, YOUR-DOMAIN2.com

+

{{hc|/etc/opendkim/opendkim.conf|

−

KeyFile /path/to/private.key

+

Domain example.com

−

Selector server1

+

KeyFile /path/to/keys/server1.private

−

Socket inet:8891@localhost

+

Selector server1

−

UserID postfix

+

Socket inet:8891@localhost

+

UserID opendkim

+

}}

−

* Add DNS record with your selector (see Selector in config, you may choose random name) and key:

+

* Add a '''DNS TXT''' record with your selector and public key. The correct record is generated with the private key and can be found in {{ic|server1.txt}} in the same location as the private key.

−

<pre>

−

server1._domainkey IN TXT "k=rsa; p=MHwwDQYJK ... OprwIDAQAB; t=y"

−

</pre>

−

* Run it with /etc/rc.d/opendkim start or add it to DAEMONS in /etc/rc.conf

+

* Enable and start the {{ic|opendkim.service}}. Read [[Daemons]] for more information.

−

= Postfix integration =

+

== Postfix integration ==

Just add

Just add
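Review bot: the installation text (`You may add an user for opendkim or use existing one (for example: postfix)`) and the new configuration (`UserID opendkim`) disagree about which account runs the milter; the text should name the same user as `UserID`, because the `KeyFile` must be readable by that user and by nobody else (the private key is what makes the signature trustworthy, so it should not be world-readable or owned by a shared account such as postfix). Two smaller points: `opendkim-genkey -r -s server1 -d example.com` replaces the old explicit `openssl genrsa -out private.key 1024` but no longer states the key size, so the `-b` option (key length in bits) is worth spelling out rather than relying on the tool's default; and the removed record example carried `t=y` (testing mode), so the text should say that the generated `server1.txt` is published without `t=y` once signing has been checked, since verifiers are told not to treat a testing-mode signature differently from an unsigned message. Also `an user` should read `a user`.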

Line 50:

Line 46:

master.cf example:

master.cf example:

−

<pre>

−

smtp inet n - n - - smtpd

−

-o smtpd_client_connection_count_limit=10

−

-o smtpd_milters=inet:127.0.0.1:8891

−

submission inet n - n - - smtpd

+

smtp inet n - n - - smtpd

−

-o smtpd_enforce_tls=no

+

-o smtpd_client_connection_count_limit=10

−

-o smtpd_sasl_auth_enable=yes

+

-o smtpd_milters=inet:127.0.0.1:8891

−

-o smtpd_client_restrictions=permit_sasl_authenticated,reject

+

−

-o smtpd_sasl_path=smtpd

+

submission inet n - n - - smtpd

−

-o cyrus_sasl_config_path=/etc/sasl2

+

-o smtpd_enforce_tls=no

−

-o smtpd_milters=inet:127.0.0.1:8891

+

-o smtpd_sasl_auth_enable=yes

−

</pre>

+

-o smtpd_client_restrictions=permit_sasl_authenticated,reject

+

-o smtpd_sasl_path=smtpd

+

-o cyrus_sasl_config_path=/etc/sasl2

+

-o smtpd_milters=inet:127.0.0.1:8891

+

+

== Notes ==

+

While you're about to fight spam and increase people's trust in your server, you might want to take a look at [http://de.wikipedia.org/wiki/Sender_Policy_Framework Sender Policy Framework], which basically means adding a DNS Record stating which servers are authorized to send email for your domain.
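Review bot: `Just add` is left as a dangling fragment before the example; it should say what to add, namely the `-o smtpd_milters=inet:127.0.0.1:8891` override on the `smtp` and `submission` services shown in the master.cf example, and that the address must match the `Socket inet:8891@localhost` line of opendkim.conf. Because the milter is attached per service with `-o`, mail injected locally through the sendmail command (the pickup path) is never handed to OpenDKIM and leaves unsigned; if such mail should be signed, the section should also mention `non_smtpd_milters` in main.cf. Separately, the `submission` service keeps `-o smtpd_enforce_tls=no` next to `-o smtpd_sasl_auth_enable=yes`, so SASL credentials may travel over an unencrypted connection; `smtpd_enforce_tls` is also an obsolete parameter, and the current way to require TLS on submission is `-o smtpd_tls_security_level=encrypt`.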

Revision as of 10:48, 22 January 2013
